Microsoft, Justice Department in Showdown Over Foreign-stored Data

The U.S. Justice Department and Microsoft will face off against each other Tuesday when the Supreme Court hears arguments on whether tech companies’ desire to protect user data is at odds with the government’s interest in pursuing criminals who use the internet.

The case, known as United States v. Microsoft Corp., has global implications and could potentially trigger an international backlash, subjecting Americans’ data to seizure by foreign governments, legal and digital rights experts warn.

“The case is important for privacy, it’s important for security, it’s important for the future of the internet,” said Jennifer Daskal, a professor at American University Washington College of Law.

At issue is whether a U.S.-based email provider can be forced, under the 1986 Stored Communications Act, to turn over communications stored outside the United States.

Email records

Federal prosecutors believed it could when they went to Microsoft in 2013 with a court warrant, demanding that the tech giant turn over the email records of a suspect in a drug-trafficking investigation. But there was a problem.

Although Microsoft kept the account’s metadata such as address books on servers in the U.S., the contents of the user’s emails were stored at a data hub in Ireland — one of over 100 such data centers the company operates in more than 40 countries.

U.S.-based internet providers had long cooperated with government requests for foreign-stored data.

But in 1993, Microsoft, under fire along with other tech companies for their role in a secret government surveillance program exposed by NSA contractor Edward Snowden, drew a line.

The company handed over the metadata to prosecutors but refused to disclose the actual emails, arguing that the data was beyond the warrant’s reach because it was stored overseas. That set off a legal battle that eventually led the Supreme Court to take up the case last year.

The case has galvanized international attention.

The governments of Ireland and the United Kingdom have both filed briefs in the case as have the European Commission and the U.N. Special Rapporteur on the right to privacy (SRP).

The central dispute is whether a warrant issued under the Stored Communications Act can be applied outside the United States.The government says it has long relied on the law to obtain electronic communications regardless of their location and that it needs the authority to secure such data for criminal investigations.

Microsoft argues that the Stored Communications Act does not have extraterritorial application. It says that the laws of the country where the data is stored — in this case, Ireland — not the laws of the United States, govern its disclosure.

Digital rights advocates and some transnational legal experts have weighed in on the side of Microsoft, arguing that a decision in favor of the government could encourage foreign governments to seize Americans’ private communications.

“You can bet many other governments in the world will come knocking on the doors of providers in the United States,” said Gregory Nojeim, senior counsel at the Center for Democracy and Technology, a Washington-based organization that has filed a brief in support of Microsoft.

European governments are already pushing back.

Belgium recently ordered U.S. providers to destroy data that the providers store in the United States, Nojeim said.

Austen Parrish, dean of the Maurer School of Law at Indiana University, noted that past attempts by the U.S. government “to extraterritorially seize documents or information from foreign countries (have) led to protests (and) blocking statutes.”

“It upsets a lot of countries because they view it not only as a violation of international law but as a violation of their own sovereignty,” Parrish said. On both counts, there is an assumption that the laws passed by Congress are designed for Americans and that they don’t violate international law, he added.

“In this case, the best result is to read the 1986 Stored Communications Act as only applying to communications within the United States,” Parrish said.

Ways to obtain data

Proponents of Microsoft acknowledge the U.S. government’s interest in foreign-stored data and point to other ways U.S. law enforcement agencies can obtain the data.One is the so-called Mutual Legal Assistance Treaty, an international agreement that allows for the exchange of evidence in criminal investigations.

Another is a bilateral cross-border data sharing agreement. The U.S. and U.K. recently negotiated such an agreement, and Congress is working to clear the way for its approval.

Regardless of how the court rules, the issue could become moot if Congress passes a recently proposed bill called the CLOUD Act. The bill would enable the U.S. government to obtain user data from email providers regardless of its location while allowing providers to decline a request if it violated the host country’s laws.

Daskal, the professor at American University, said the bill “strikes the right balance.”

But critics say it can be used by foreign governments to gather data from U.S. providers for intelligence purposes.

Both the Justice Department and Microsoft have endorsed the proposed legislation.

Short of congressional action, the court should try to strike a balance between the U.S. government’s need for data in criminal investigations and foreign governments’ need to protect the privacy of citizens, Daskal said.

“My hope is that if the court rules in favor of the government, that it does so in a way that reminds the lower courts of the importance of issuing warrants in a way that also respects conflicting rules in foreign governments as well,” she said. …